LDAPS inexplicably working on 2 DCs, not on 3rd

L0 Member

Please suggest a better title; this issue has put me through the wringer.

We have a site with an MPLS connection down. The PAs use the domain controller in our datacenter for authentication for both admin and GP users, which is over the MPLS. LDAP requests, of course, fail.

We also have a DC in Azure, to which the PA has an IPsec tunnel attached through the backup broadband connection at the office. Users logging into computers onsite eventually have their login sent to Azure, and they authenticate properly.

External users trying to connect to the local VPN can't authenticate.

I created a new LDAP server profile and a new authentication profile. The only way it will work is to set the port to 389 and to uncheck the SSL button.

However, the two other LDAP servers that are configured, which are set up from Panorama AND are the same on all 15 of my PAs, use port 636 with the SSL box checked. On other PAs, there are no issues with authentication.

When I use ldp.exe to connect to the LDAP servers, oddly enough, they all work with 389 and no SSL. They also all FAIL when trying to connect with 636 and SSL.

Is there some kind of magic allowing the other servers to work? I of course inherited the network, but I know we don't have a Cert Authority. So it would seem I haven't met the requirements for using LDAPS.

What I'm after is trying to figure out how the main 2 servers are working on port 636, and if legitimate, I'd like to make those changes to the Azure server. This way I can add the Azure server to the list on the LDAP server profile, so I'm covered in the future. The only certificates configured on the PA are a root, intermediate, and wildcard certificate (full chain).

Please let me know if you have any questions.

Thank you!
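A domain controller only answers on 636 when its machine certificate store holds a certificate with the Server Authentication EKU and a subject or SAN entry matching the DC's FQDN, and a client that does not validate the server certificate will happily complete a TLS handshake against a self-signed, expired or mis-named certificate. The script below is an added example, not code from the post or from Palo Alto Networks: it probes each DC's LDAPS listener, accepts whatever certificate is presented so it can be inspected, and reports subject, issuer, expiry, EKU, name match and the validation errors a verifying client would raise. The hostnames are placeholders to replace with your own DC FQDNs.

```powershell
# Added example (not from the post): probe each domain controller's LDAPS listener
# and report the certificate it presents, so the DCs can be compared side by side.
# Hostnames are placeholders; replace them with your own DC FQDNs.
$DomainControllers = @('dc1.corp.example', 'dc2.corp.example', 'dc-azure.corp.example')

function Test-LdapsListener {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )

    $result = [ordered]@{
        Server        = $ComputerName
        TcpOpen       = $false
        TlsHandshake  = $false
        Subject       = $null
        Issuer        = $null
        NotAfter      = $null
        ServerAuthEku = $null
        NameMatches   = $null
        PolicyErrors  = $null   # what a validating client (chain + name) would object to
        Error         = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${ComputerName}:$Port timed out"
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        # Record the validation verdict but accept the certificate anyway, so a self-signed,
        # expired or mis-named certificate can still be inspected instead of aborting the handshake.
        $script:lastPolicyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:lastPolicyErrors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $result.TlsHandshake = $true
        $result.PolicyErrors = [string]$script:lastPolicyErrors

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # A DC only serves LDAPS with a certificate carrying the Server Authentication EKU
        # (OID 1.3.6.1.5.5.7.3.1) and a subject or SAN entry matching its FQDN.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $result.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($san) { $names += $san.Format($true) }       # "DNS Name=dc1.corp.example" lines
        $names += $cert.GetNameInfo('DnsName', $false)    # falls back to the subject CN
        $result.NameMatches = [bool]($names -match [regex]::Escape($ComputerName))

        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$DomainControllers | ForEach-Object { Test-LdapsListener -ComputerName $_ } | Format-Table -AutoSize
```

Run it from any domain-joined workstation that can reach all three DCs. A DC with `TcpOpen` false has no LDAPS listener at all, which on a DC almost always means no usable certificate is installed; a DC with `TlsHandshake` true but `PolicyErrors` populated is the case where an LDAP client with certificate verification switched off "works" while ldp.exe, which does validate, fails. Comparing `Issuer` across the three rows shows whether the working DCs hold certificates from a CA that the Azure DC never enrolled against.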

1 REPLY 1

L0 Member

If they are actually working on LDAPS, I don't want to step down the security if I don't have to!
